Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
5j2OMdx64J.ps1

Overview

General Information

Sample name:5j2OMdx64J.ps1
renamed because original name is a hash value
Original sample name:d9e7a01521d956c5ef3e07153209be63da738eee98902050c06424292d7b1387.ps1
Analysis ID:1579865
MD5:a8e97fe5a7115e42759d67f7e4d88b0d
SHA1:7a4dce9165f34ca44e79b06f3a07281f6cf08823
SHA256:d9e7a01521d956c5ef3e07153209be63da738eee98902050c06424292d7b1387
Tags:lockbitlockbit40powershellps1ransomwareuser-TheRavenFile
Infos:

Detection

Score:3
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level

Classification

  • System is w10x64
  • powershell.exe (PID: 3552 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5j2OMdx64J.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5j2OMdx64J.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5j2OMdx64J.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5j2OMdx64J.ps1", ProcessId: 3552, ProcessName: powershell.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5j2OMdx64J.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5j2OMdx64J.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5j2OMdx64J.ps1", ProcessId: 3552, ProcessName: powershell.exe
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: powershell.exe, 00000000.00000002.2069595265.000001F55688D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2069595265.000001F55683D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000000.00000002.2069595265.000001F556866000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: classification engineClassification label: clean3.winPS1@2/5@0/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4268:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3os2v5tg.4ff.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5j2OMdx64J.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2941Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1677Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2164Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading
1
Process Injection
21
Virtualization/Sandbox Evasion
OS Credential Dumping1
Process Discovery
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading
1
Process Injection
LSASS Memory21
Virtualization/Sandbox Evasion
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
DLL Side-Loading
Security Account Manager1
Application Window Discovery
SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDS1
File and Directory Discovery
Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets11
System Information Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1579865 Sample: 5j2OMdx64J.ps1 Startdate: 23/12/2024 Architecture: WINDOWS Score: 3 5 powershell.exe 11 2->5         started        process3 7 conhost.exe 5->7         started       

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
5j2OMdx64J.ps10%ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
https://aka.ms/pscore6powershell.exe, 00000000.00000002.2069595265.000001F55683D000.00000004.00000800.00020000.00000000.sdmpfalse
    high
    https://aka.ms/pscore68powershell.exe, 00000000.00000002.2069595265.000001F556866000.00000004.00000800.00020000.00000000.sdmpfalse
      high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.2069595265.000001F55688D000.00000004.00000800.00020000.00000000.sdmpfalse
        high
        No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1579865
        Start date and time:2024-12-23 12:37:10 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 1m 59s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:3
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:5j2OMdx64J.ps1
        renamed because original name is a hash value
        Original Sample Name:d9e7a01521d956c5ef3e07153209be63da738eee98902050c06424292d7b1387.ps1
        Detection:CLEAN
        Classification:clean3.winPS1@2/5@0/0
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 3
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .ps1
        • Stop behavior analysis, all processes terminated
        • Exclude process from analysis (whitelisted): dllhost.exe
        • Execution Graph export aborted for target powershell.exe, PID 3552 because it is empty
        • Not all processes where analyzed, report is missing behavior information
        • VT rate limit hit for: 5j2OMdx64J.ps1
        No simulations
        No context
        No context
        No context
        No context
        No context
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):64
        Entropy (8bit):0.773832331134527
        Encrypted:false
        SSDEEP:3:NlllulD/:NllUD
        MD5:D9ADDC8BC71EE61261940D67A7EFF73A
        SHA1:44DABE2479B4D251FC348A7198B3F5665BC48F5C
        SHA-256:3945C70445A1C3E3E162F1EE5EBBD03C93D3D4483316AE2AF1D9C025D0B204A7
        SHA-512:87100FEF4AB233A92DD99E02668390D1C546DEB0DB9E1E7C470E1AC9D63A36C64081E31262786128526FF2FE223E883DBF338587A55A961F6CB7C38A419967AE
        Malicious:false
        Reputation:moderate, very likely benign file
        Preview:@...e.................................R.........................
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):60
        Entropy (8bit):4.038920595031593
        Encrypted:false
        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
        MD5:D17FE0A3F47BE24A6453E9EF58C94641
        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
        Malicious:false
        Reputation:high, very likely benign file
        Preview:# PowerShell test file to determine AppLocker lockdown mode
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):60
        Entropy (8bit):4.038920595031593
        Encrypted:false
        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
        MD5:D17FE0A3F47BE24A6453E9EF58C94641
        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
        Malicious:false
        Reputation:high, very likely benign file
        Preview:# PowerShell test file to determine AppLocker lockdown mode
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):6222
        Entropy (8bit):3.7011350338263562
        Encrypted:false
        SSDEEP:48:tGlquFyvQCGbU2K+YIyukvhkvklCywan2iQc7O7NlzCKSogZoxCQc7O7Nl4JCKSK:y5wvQCzofkvhkvCCt4a7NSHPa7N2yHq
        MD5:736B0CAC619BEE34513C51BD49074C3F
        SHA1:8EF2AD18969B5E4954D400372BE4024FA3B1AF46
        SHA-256:B400B8165352427A43BC5F5745B4A9BA15F58818546824911782113BB1BF5D47
        SHA-512:884D4D7EDCE95B1969ADAC5B1AB470E65689CB743E908343D7FCBCC13BE4C90920702BA259484E499433ED325CC132AF9FD7B8EFA81CF6A4C0384431C47ED158
        Malicious:false
        Reputation:low
        Preview:...................................FL..................F.".. ...d......P.../U..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....je../U...X../U......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.Y.\....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Y.\..Roaming.@......DWSl.Y.\....C......................HD.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.Y.\....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl.Y.\....E.......................S.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.Y.\....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.Y.\....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.Y.\....q...........
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):6222
        Entropy (8bit):3.7011350338263562
        Encrypted:false
        SSDEEP:48:tGlquFyvQCGbU2K+YIyukvhkvklCywan2iQc7O7NlzCKSogZoxCQc7O7Nl4JCKSK:y5wvQCzofkvhkvCCt4a7NSHPa7N2yHq
        MD5:736B0CAC619BEE34513C51BD49074C3F
        SHA1:8EF2AD18969B5E4954D400372BE4024FA3B1AF46
        SHA-256:B400B8165352427A43BC5F5745B4A9BA15F58818546824911782113BB1BF5D47
        SHA-512:884D4D7EDCE95B1969ADAC5B1AB470E65689CB743E908343D7FCBCC13BE4C90920702BA259484E499433ED325CC132AF9FD7B8EFA81CF6A4C0384431C47ED158
        Malicious:false
        Preview:...................................FL..................F.".. ...d......P.../U..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....je../U...X../U......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.Y.\....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Y.\..Roaming.@......DWSl.Y.\....C......................HD.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.Y.\....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl.Y.\....E.......................S.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.Y.\....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.Y.\....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.Y.\....q...........
        File type:ASCII text
        Entropy (8bit):5.26419921713938
        TrID:
          File name:5j2OMdx64J.ps1
          File size:274 bytes
          MD5:a8e97fe5a7115e42759d67f7e4d88b0d
          SHA1:7a4dce9165f34ca44e79b06f3a07281f6cf08823
          SHA256:d9e7a01521d956c5ef3e07153209be63da738eee98902050c06424292d7b1387
          SHA512:77126af7f207d4ab854e3293936c73591289ca97211823513941bdae60b9da48fc3b829e2819ef1230f86cb8761eab37f6dca61281b2dfc7209ce471af68422b
          SSDEEP:6:Q3WrMSlR2fyM+UCuGSYjue5uIIZPECDZsIxtMwwJAMc/J2:Q3WrMSlRo7CujYa1IIZsmZb+wwaBh2
          TLSH:10D097C303DC077B8063FB306BBC1618E2C40A0D253A8166A6F977CE0E0851C06AA7E4
          File Content Preview:for ($i = 0; $i -lt $args.count; $i++ ){$argument += $args[$i] + ' '} .$psFile=$PSCommandPath.$MaximumVariableCount=32567.#Seed: 79 Total Vars: 1. | % {$oav8q08q+=$_}.if ($psversiontable.PSVersion.Major -eq 2) { $psFile = $MyInvocation.MyCommand.Definiti
          Icon Hash:3270d6baae77db44
          No network behavior found

          Click to jump to process

          Click to jump to process

          Click to dive into process behavior distribution

          Click to jump to process

          Target ID:0
          Start time:06:38:00
          Start date:23/12/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5j2OMdx64J.ps1"
          Imagebase:0x7ff7be880000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:1
          Start time:06:38:00
          Start date:23/12/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Reset < >
            Memory Dump Source
            • Source File: 00000000.00000002.2074026120.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff849000000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 45ecec679b52c193d4e375fa5a18e745495c74a65b076d5eef96a653c1208a61
            • Instruction ID: ce48dfed74282066efd84f788cc159bba85762f63cfc5d80ef407a1a872054a5
            • Opcode Fuzzy Hash: 45ecec679b52c193d4e375fa5a18e745495c74a65b076d5eef96a653c1208a61
            • Instruction Fuzzy Hash: E6E12431D0EACA5FEBA6EB2C68155B5BBA0FF16794F0801FAD04DC71D3EA18D8458361
            Memory Dump Source
            • Source File: 00000000.00000002.2074026120.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff849000000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 11b79b3650824b24818eaa6ecc34ed4df3fb4d6e91c365f749439e7ac72c27a1
            • Instruction ID: 4818f377f0d15c61bd5e394f32032c39f79f84fb303b562ead51a67cb23f06d0
            • Opcode Fuzzy Hash: 11b79b3650824b24818eaa6ecc34ed4df3fb4d6e91c365f749439e7ac72c27a1
            • Instruction Fuzzy Hash: 9791D321D1EBC64FEBA6AB6C68655757FE0EF16694B0900FAC08DCB1D3E91CDC458312
            Memory Dump Source
            • Source File: 00000000.00000002.2073590054.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3e8110072008822f9b851662dbd92c3d0a0b45f8918f2b52d7721439382d7d88
            • Instruction ID: 5b8089a4e5ac97ec81968c90c8c0152ff70c4c312c89673f75f1aa8c9bb6f431
            • Opcode Fuzzy Hash: 3e8110072008822f9b851662dbd92c3d0a0b45f8918f2b52d7721439382d7d88
            • Instruction Fuzzy Hash: 2401677111CB0C4FDB44EF0CE451AA5B7E0FB99364F10056EE58AC3695D736E881CB45